blob: 4efd66673f5dea5b518a52b3807b2d47040ca4d0 [file] [log] [blame]
/* Code to save the iptables state, in human readable-form. */
/* (C) 1999 by Paul 'Rusty' Russell <rusty@rustcorp.com.au> and
* (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
*
* This code is distributed under the terms of GNU GPL v2
*
*/
#include "config.h"
#include <getopt.h>
#include <errno.h>
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <netdb.h>
#include <unistd.h>
#include "libiptc/libiptc.h"
#include "libiptc/libip6tc.h"
#include "iptables.h"
#include "ip6tables.h"
#include "iptables-multi.h"
#include "ip6tables-multi.h"
#include "xshared.h"
static int show_counters;
static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
{.name = "modprobe", .has_arg = true, .val = 'M'},
{.name = "file", .has_arg = true, .val = 'f'},
{.name = "version", .has_arg = false, .val = 'V'},
{NULL},
};
struct iptables_save_cb {
const struct xtc_ops *ops;
void (*dump_rules)(const char *chain, struct xtc_handle *handle);
};
static int
for_each_table(int (*func)(struct iptables_save_cb *cb, const char *tablename),
struct iptables_save_cb *cb)
{
int ret = 1;
FILE *procfile = NULL;
char tablename[XT_TABLE_MAXNAMELEN+1];
procfile = fopen(afinfo->proc_exists, "re");
if (!procfile) {
if (errno == ENOENT)
return ret;
fprintf(stderr, "Failed to list table names in %s: %s\n",
afinfo->proc_exists, strerror(errno));
exit(1);
}
while (fgets(tablename, sizeof(tablename), procfile)) {
if (tablename[strlen(tablename) - 1] != '\n')
xtables_error(OTHER_PROBLEM,
"Badly formed tablename `%s'\n",
tablename);
tablename[strlen(tablename) - 1] = '\0';
ret &= func(cb, tablename);
}
fclose(procfile);
return ret;
}
static int do_output(struct iptables_save_cb *cb, const char *tablename)
{
struct xtc_handle *h;
const char *chain = NULL;
if (!tablename)
return for_each_table(&do_output, cb);
h = cb->ops->init(tablename);
if (h == NULL) {
xtables_load_ko(xtables_modprobe_program, false);
h = cb->ops->init(tablename);
}
if (!h)
xtables_error(OTHER_PROBLEM, "Cannot initialize: %s\n",
cb->ops->strerror(errno));
time_t now = time(NULL);
printf("# Generated by %s v%s on %s",
xt_params->program_name, PACKAGE_VERSION, ctime(&now));
printf("*%s\n", tablename);
/* Dump out chain names first,
* thereby preventing dependency conflicts */
for (chain = cb->ops->first_chain(h);
chain;
chain = cb->ops->next_chain(h)) {
printf(":%s ", chain);
if (cb->ops->builtin(chain, h)) {
struct xt_counters count;
printf("%s ", cb->ops->get_policy(chain, &count, h));
printf("[%llu:%llu]\n",
(unsigned long long)count.pcnt,
(unsigned long long)count.bcnt);
} else {
printf("- [0:0]\n");
}
}
for (chain = cb->ops->first_chain(h);
chain;
chain = cb->ops->next_chain(h)) {
cb->dump_rules(chain, h);
}
now = time(NULL);
printf("COMMIT\n");
printf("# Completed on %s", ctime(&now));
cb->ops->free(h);
return 1;
}
/* Format:
* :Chain name POLICY packets bytes
* rule
*/
static int
do_iptables_save(struct iptables_save_cb *cb, int argc, char *argv[])
{
const char *tablename = NULL;
FILE *file = NULL;
int ret, c;
while ((c = getopt_long(argc, argv, "bcdt:M:f:V", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
break;
case 'c':
show_counters = 1;
break;
case 't':
/* Select specific table. */
tablename = optarg;
break;
case 'M':
xtables_modprobe_program = optarg;
break;
case 'f':
file = fopen(optarg, "w");
if (file == NULL) {
fprintf(stderr, "Failed to open file, error: %s\n",
strerror(errno));
exit(1);
}
ret = dup2(fileno(file), STDOUT_FILENO);
if (ret == -1) {
fprintf(stderr, "Failed to redirect stdout, error: %s\n",
strerror(errno));
exit(1);
}
fclose(file);
break;
case 'd':
do_output(cb, tablename);
exit(0);
case 'V':
printf("%s v%s (legacy)\n",
xt_params->program_name,
xt_params->program_version);
exit(0);
default:
fprintf(stderr,
"Look at manual page `%s.8' for more information.\n",
xt_params->program_name);
exit(1);
}
}
if (optind < argc) {
fprintf(stderr, "Unknown arguments found on commandline\n");
exit(1);
}
return !do_output(cb, tablename);
}
#ifdef ENABLE_IPV4
static void iptables_dump_rules(const char *chain, struct xtc_handle *h)
{
const struct ipt_entry *e;
/* Dump out rules */
e = iptc_first_rule(chain, h);
while(e) {
print_rule4(e, h, chain, show_counters);
e = iptc_next_rule(e, h);
}
}
struct iptables_save_cb ipt_save_cb = {
.ops = &iptc_ops,
.dump_rules = iptables_dump_rules,
};
/* Format:
* :Chain name POLICY packets bytes
* rule
*/
int
iptables_save_main(int argc, char *argv[])
{
int ret;
iptables_globals.program_name = "iptables-save";
if (xtables_init_all(&iptables_globals, NFPROTO_IPV4) < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
iptables_globals.program_name,
iptables_globals.program_version);
exit(1);
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions4();
#endif
ret = do_iptables_save(&ipt_save_cb, argc, argv);
xtables_fini();
return ret;
}
#endif /* ENABLE_IPV4 */
#ifdef ENABLE_IPV6
static void ip6tables_dump_rules(const char *chain, struct xtc_handle *h)
{
const struct ip6t_entry *e;
/* Dump out rules */
e = ip6tc_first_rule(chain, h);
while(e) {
print_rule6(e, h, chain, show_counters);
e = ip6tc_next_rule(e, h);
}
}
struct iptables_save_cb ip6t_save_cb = {
.ops = &ip6tc_ops,
.dump_rules = ip6tables_dump_rules,
};
/* Format:
* :Chain name POLICY packets bytes
* rule
*/
int
ip6tables_save_main(int argc, char *argv[])
{
int ret;
ip6tables_globals.program_name = "ip6tables-save";
if (xtables_init_all(&ip6tables_globals, NFPROTO_IPV6) < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
ip6tables_globals.program_name,
ip6tables_globals.program_version);
exit(1);
}
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
init_extensions();
init_extensions6();
#endif
ret = do_iptables_save(&ip6t_save_cb, argc, argv);
xtables_fini();
return ret;
}
#endif /* ENABLE_IPV6 */